The Group of Seven industrial powers wrote up a basic, yet foundational, cybersecurity strategy and operational framework document. It is intended to be the building block of consistency across the financial sector and includes 8 basic elements of cybersecurity practice. This 3-page paper, G7 Fundamental Elements of Cybersecurity for the Financial Sector, makes recommendations drawn from established best practices for cybersecurity.
The elements covered in the paper include:
- Cybersecurity Strategy and Framework
- Risk and Control Assessment
- Information Sharing
- Continuous Learning
This is a good list. There is nothing new from a practices perspective, as all of these are part of an effective cybersecurity program, but I found two details interesting and telling of where the financial sector is heading.
First, the G7 recommends that governance bodies, such as boards of directors, establish their ‘cyber risk tolerance’ for the entities they oversee. This is a huge step up the maturity ladder. Most organizations treat security as a matter of addressing vulnerabilities in order to eliminate risk. This is rudimentary thinking. Risks are managed (mitigated, accepted, transferred, etc.) but never eliminated altogether; that would be far too costly and disruptive, if not outright impossible. It takes a mature organization to realize it is seeking an optimal balance for the risks it faces, with tradeoffs between cost, risk, and usability. To state outright that leaders should quantify their ‘risk tolerance’ (sometimes referred to as ‘risk appetite’) is a momentous step towards understanding the realities of cybersecurity and identifying a realistic target for the program.
Second, the G7 recommends deep information sharing with internal and external stakeholders, including public authorities outside the financial sector. Many barriers have plagued initiatives to share sensitive security information within this community. Such sharing is important and valuable: attack data shared in a timely fashion becomes the ‘canary in the coal mine’, an early warning sign for the rest of the community that greatly reduces overall losses. This recommendation is a sign that these countries will work to overcome the entrenched biases and barriers to good threat sharing. If the financial sector can make this happen, then it can work in just about every other sector of the economy as well.
Both of these areas represent a leadership direction that is forward-thinking and rooted in good cybersecurity practices. Although the paper is brief, the real benefit will be in the outcomes it drives across the global finance sector.